RubinBrown is here to help you navigate the nuaces of SOC reporting.

Ways RubinBrown can help:

• Collaborate with your team, while working remotely.
• Evaluate the various SOC report types and help you select which report best suits your needs as a growing service organization and the needs of your customers.
• Explain the time and resource commitments required to obtain one of the SOC reports noted below.
• Provide a hands on risk assessment process, lead by an experienced member of our SOC team, to help you understand the requirements of each control objective and/or trust services criteria and what that means for your business.
• Reduce the ongoing audit burden through establishing open communication, clear expectations, and transparent project tracking tools.

• Cost and time efficiencies as a result of working with a team who works on SOC examinations day in and day out.
• A customized way to link your organization's business to relevant control activities.
• A quality deliverable that your organization will be proud to present to customers and/or prospects.

The variety of SOC reports offerings available to service organizations include:
 

• SOC 1^® — SOC for Service Organizations, ICFR: These reports are specifically designed to address controls at the service organization that are relevant to the user entities’ financial statements. They enable user auditors to perform risk assessment procedures and obtain audit evidence about whether controls at the service organization are operating effectively. Use of these reports is restricted to management of the service organization, user entities and user auditors.
• SOC 2^® — SOC for Service Organizations, Trust Services Criteria: These reports address controls relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information these systems process. They provide a level of detail sufficient to address the user’s vendor risk management needs and are restricted to specified parties with sufficient knowledge and understanding of the service organization’s system and the nature of services it provides. Use of these reports generally is restricted to service organization management, user entities of the system, business partners, CPAs providing services to user entities and business partners and regulators.
• SOC 3^® — SOC for Service Organizations, Trust Services Criteria for General Use Report: Like SOC 2^®, these reports address controls relevant to security, availability, processing integrity, confidential and privacy. However, they do not provide the same level of detail. Therefore, they are considered general use reports and can be freely distributed.

The following SOC reports are available to entities beyond just service organizations:

SOC for Cybersecurity: These examinations provide an independent, entity-wide assessment of an organization’s cybersecurity risk management program.  Using this report, organizations can communicate pertinent information regarding their cybersecurity risk-management efforts.  In addition, the report can be used to educate stakeholders about the systems, process and controls the organization has in place to detect, prevent and respond to breaches.

SOC for Supply Chain: These examinations report on controls over a manufacturing, production or distribution system and communicate to stakeholders relevant information about the entity’s supply chain risk-management efforts, processes, and controls in place to detect, prevent and respond to supply chain risks.

• You’ve been asked to provide a client (or future client) a report on your controls / security.
• A client requires a SOC 1^®, SOC 2^® or other SOC report.
• A future client is requiring an independent assessment related to the Cloud Control Matrix, HITRUST, ISO 27001, NIST 800-53 or another regulation or framework and you would like to report under one framework.
• Your security team is spending too much time filling out security questionnaires.
• Your compliance office, finance, legal or internal control/security groups are spending too much time filling out control questionnaires.

RubinBrown's Audrey Katcher has over 25 years of IT audit and service organization control experience. She currently serves on various AICPA SOC and technology working groups and task forces. Audrey's participation on these key AICPA committees provides clients the most current perspective the profession has on the new SOC standards and audit guidelines.

RubinBrown's Rob Rudloff has more than 25 years of information security experience on security reviews, mitigation, strategy and architecture development. Rob is a Certified Information Systems Security Professional, Information Systems Security Management Professional, Certified Cloud Security Professional and a Project Management Professional.

RubinBrown's Christine Figge has over 20 years of public accounting and consulting experience. Christine offers a unique perspective to the SOC process since she has used the reports as an auditor, assisted management in developing their description and controls identification, and performed the attestation services related to issuing SOC reports for clients.

RubinBrown professionals maintain a current working knowledge of the new standards and are ready to help your organization. RubinBrown is an experienced team who has led and performed many SOC engagements.